Minimize wildcard use in Roles and ClusterRoles

HIGH

Description

Description:

Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items.

Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.

Rationale:

The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

Remediation

Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

Policy Details

Rule Reference ID: AC_K8S_0104

CSP: Kubernetes

Remediation Available: No

Domain: Identity and Access Management

Resource: kubernetes_role

Resource Category: Management

Resource Type: Role

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Worker Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Master Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1